For a long time, I didn't protect my actionable links from CSRF attacks. By actionable links, I mean links that will modify data on the server, e.g. "delete product", "publish post", "like". I'd always written these as regular "a href" links, but this can be a very easy to manipulate attack.